Sender Authentication: What Is It, and How Can It Help You?

In the era introduced by the Can Spam Act, how can you make sure your e-mails aren’t immediately being filtered into a junk folder? Sender authentication recently has emerged as both an opportunity for direct marketers to identify themselves and a tool to identify illegal spammers.

Stephen Guerra, e-mail communications strategist for Atlanta-based Silverpop, a provider of permission-based e-mail marketing solutions, answers common questions about sender authentication and how it works.

Idea Factory: How will sender authentication help direct marketers?
Guerra: Sender authentication will first benefit direct marketers by allowing them to clearly identify themselves when sending to Internet Service Providers (ISPs). Secondly, it will help the ISPs identify legitimate e-mailers from senders who fraudulently attempt to disguise their identity.

Later, as real-time reputation systems gain acceptance, sender authentication will function to properly verify sender identity, so ISPs can then use reputation systems as reliable guides to determine from which senders they wish to accept messages.

IF: What standards have been developed for sender authentication?
Guerra: Sender authentication technologies are still new, and for the most part, their standard usage is still being determined. While many ISPs are using some of the sender authentication technologies, most agree it is too early to begin discarding incoming messages based on sender authentication. Some of the largest ISPs have indicated they will likely first begin providing their users an indicator for messages that have failed sender-authentication tests.

IF: How does sender authentication prevent false positives?
Guerra: When you consider a prospective employee you will likely run a background check on them to get some idea of their repuation. Before you can do that, you have to verify they are who they say they are by examining some form of identification such as a driver’s license. In the world of e-mail, sender authentication is the driver’s license, and a reputation system is the background check. Taken together, these two technologies can allow ISPs to make better decisions when they decide to block or accept messages.

IF: Could you define Sender Policy Framework (SPF)?
Guerra: This system was originally authored in a grass-roots movement that was adopted by and championed by America Online. SPF is an e-mail protocol that allows recipient systems to verify that the sending server name listed in the message header agrees with the Internet Protocol (IP) address that sent the message. Faking the server name is very easy, but faking the IP address is extraordinarly difficult. SPF validates information that is visible to the ISP but is rarely visible to the person who will ultimately read the message.

IF: Could you define Sender ID?
Guerra: Sender ID is a blend of SPF and Caller ID, a protocol written by Microsoft. Sender ID can be implemented to verify the same information as SPF and can also verify that the IP address used is allowed to send on behalf of the sender listed in the From address. Sender ID can verify information that is visible to the reader of the message as well as information intended for the ISP.

IF: What is a reasonable timetable to implement a sender authentication program?
Guerra: Senders should ensure they are using SPF now, especially if they send to AOL recipients. The other protocols haven’t yet gained wide acceptance and don’t yet significantly affect deliverability. Senders should keep an eye on developments and be prepared to implement them as they become more accepted. Those senders who wish to take extra precatuions and want to gain experience with the technologies before they become widely used should implement Sender ID after SPF, then possibly implement Yahoo!’s DomainKeys.

IF: What are the steps to take to implement sender authentication?
Guerra: Each protocol has its own implementation path that is somewhat dependent on the technologies senders are using to transmit their messages. Senders using internal systems to transmit should make sure their e-mail administrators are well trained in all the prospective protocols and up-to-date on their most recent developments.

Senders who have outsourced their messaging are generally in the best position regarding sender authentication, since the best providers already have or stand ready to implement these procotols when it becomes reasonable to do so.

In either case, senders should conduct comprehensive audits of their e-mail programs to ensure all possible transmissions are included in their authentication efforts. In addition to their marketing efforts, it will be important to implement these technologies in their corporate e-mail systems, transactional messaging and customer service systems.